Big Server Login Problem

Discussion in 'General' started by Pasco, Apr 19, 2007.

  1. Pasco

    Pasco Member

    Hi 2gether

    Yesterday I tried to implement the SSH chroot on my ISPC-Server. I followed the how-to on http://www.howtoforge.com/chrooted_ssh_howto_debian.

    I ran into several problems. I found several solutions on the forum. I made the mistake with the APPS-Line (not on one line). I had the problem that I could log in chrooted with WinSCP but not with PuTTY (which means, even though I could log in with the chrooted users, I got the error "no such file or directory" and it didn't show me any files/directories).

    So I did the how-to again, from the step with the APPS-Line.

    Then I did this from the tutorial:

    I got errors that it can't find "etc/passwd". So I was sick and tired and made the big mistake. I just replaced "etc/passwd" with "/etc/passwd" everywhere.

    That means I've entered:

    Now my server can't find the PWDs anymore, I think. I can't log in with SSH or FTP, not even as root... I can't even log in at the console :eek: ...

    PLEASE HELP! Is there any chance or way to correct my mistake? Any help will greatly be appreciated!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use ISPConfig, then you do not need the chroot creation script at all. Please just enable chrooting in the file /root/admispconfig/ispconfig/lib/config.inc.php. Every new or updated user that you create in ISPConfig will be chrooted.
     
  3. Pasco

    Pasco Member

    So I messed it up now... :( Because I'd already followed the general tutorial for ssh chroot...And it would have been that easy just to change 0 to 1.. :rolleyes:

    And now it's a big mess on my server...

    Can you PLEASE help me to roll back what I've done? THAT WOULD BE REALLY REALLY GREAT!!!

    It's a productive server that's why it's really concerning me. Nobody has access via SSH/FTP/console...I'm really desperate.

    BTW: I'm running Debian Sarge 3.1. Is there some kind of "rescue mode" for Debian, or how can I get access to my machine again? Now it's limited to web access only...

    I'm really counting on you because I have no clue how to fix that...
     
    Last edited: Apr 19, 2007
  4. Pasco

    Pasco Member

    What about Debian Rescue Mode?

    I've found something in the net, but I'm scared to use that. If I shut down my server, perhaps it will never start up again? Now the webs still are accessible, even though users don't have FTP/SSH access. No access at all would be far worse...

    So, can I dare to shut it down and start with the Debian CD and rescue mode? Or do you have any other ideas how I could get access to my server again?

    And if rescue mode would be worth trying, WHAT do I have to do to get PWDs working again? Somehow I need to roll back that crap I've done..

    Perhaps with a CD Distro like Knoppix? If yes, what have I to do?

    I'm really really desperate...:confused: :confused: :confused:
     
  5. Pasco

    Pasco Member

    Again...

    Again me..I'm sorry...but my problem is complete now!

    I shut down my system, tried to rescue with Knoppix...but I don't get it. I don't even know what to do. I can't find the user password list! In /etc/passwd there is only ONE user left, the chrooted one...and I can't do anything with it, not even su...

    Now I can't start my server anymore, because it says it can't find the user database at start up. So there are completely no users, and no services can be started. My server and websites are down now...:eek:

    Where has my users list gone???

    WHAT CAN I only DO...? I beg you all cracks, mercy me...and help
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have any backups of the file /etc/passwd, /etc/group and /etc/shadow ?
     
  7. Pasco

    Pasco Member

    Hi till

    That was my idea too. So I searched my system for that and finally, to my big, very VERY BIG relief and THANK ISPConfig, you and GOD :) , I found backup files for passwd, groups and shadow in /var/backups. I've copied them to the /etc folder and my system is up and running again! :D

    Thanks so much, it's like getting a new life :).

    But still, the problem with chroot persists.

    I have two ISPC Boxes. One of them is a fresh install. Like you suggested in a previous reply to this thread, I tried just to change the value from 0 to 1 for

    $go_info["server"]["ssh_chroot"] = 1;

    in the file /home/admispconfig/ispconfig/lib/config.inc.php and restarted ispconfig_server.

    As a result I got the necessary directories and files for each user (bin/lib/usr). I created a new user afterwards. A glance into /etc/passwd shows me that there is the /./ for the user dir.

    But if I connect with WinSCP or PuTTY with that new user, it's still no problem to break out of "his" directory...

    On the other hand, on the other, just rescued system, where I tried to apply the tutorial for ssh chrooted, the newly created users are chrooted, but I have no access to the files, because with WinSCP I get a "permission denied" error and with PuTTY the output e.g. for "dir" is "no such file or directory" and I also have no permissions. :confused:
     
    Last edited: Apr 20, 2007
  8. Pasco

    Pasco Member

    BTW:

    It seems I have a similar or the same prob like jonwatson had here:

    http://www.howtoforge.com/forums/showthread.php?t=4373&page=3&highlight=ssh+chroot

    and

    http://www.howtoforge.com/forums/showthread.php?t=1739&page=2&highlight=`.//bin/bash'

    But I got no help out of these threads.


    If I try to log in as the newly created user with WinSCP I get the following error:

    Code:
    Command 'groups'
    failed with return code 126 and error message
    -bash: line 31: /usr/bin/groups: Permission denied.

    I tried to redo the how-to for ssh chrooted. I noticed the following errors, which I already got the first time I tried, if I run the script on page 2 of the tutorial with echo "cp $1 ./$1":

    Code:
    cp: cannot create regular file `.//bin/bash': No such file or directory
    cp /lib/libncurses.so.5 .//lib/libncurses.so.5
    cp /lib/libdl.so.2 .//lib/libdl.so.2
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//bin/ls': No such file or directory
    cp /lib/librt.so.1 .//lib/librt.so.1
    cp /lib/libacl.so.1 .//lib/libacl.so.1
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/libpthread.so.0 .//lib/libpthread.so.0
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp /lib/libattr.so.1 .//lib/libattr.so.1
    cp: cannot create regular file `.//bin/mkdir': No such file or directory
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//bin/mv': No such file or directory
    cp /lib/libacl.so.1 .//lib/libacl.so.1
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/libattr.so.1 .//lib/libattr.so.1
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//bin/pwd': No such file or directory
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//bin/rm': No such file or directory
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//usr/bin/id': No such file or directory
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//usr/bin/ssh': No such file or directory
    cp /lib/libresolv.so.2 .//lib/libresolv.so.2
    cp /usr/lib/i686/cmov/libcrypto.so.0.9.7 .//usr/lib/i686/cmov/libcrypto.so.0.9.7
    cp /lib/libutil.so.1 .//lib/libutil.so.1
    cp /usr/lib/libz.so.1 .//usr/lib/libz.so.1
    cp /lib/libnsl.so.1 .//lib/libnsl.so.1
    cp /lib/libcrypt.so.1 .//lib/libcrypt.so.1
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/libdl.so.2 .//lib/libdl.so.2
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//bin/ping': No such file or directory
    cp /lib/libresolv.so.2 .//lib/libresolv.so.2
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2
    cp: cannot create regular file `.//usr/bin/dircolors': No such file or directory
    cp /lib/libc.so.6 .//lib/libc.so.6
    cp /lib/ld-linux.so.2 .//lib/ld-linux.so.2

    And if I try to go on with the tutorial:

    Code:
    touch etc/passwd

    I get the following error:

    Code:
    touch: cannot touch `etc/passwd': No such file or directory

    and with:

    Code:
    reg:~# grep /etc/passwd -e "^root" > etc/passwd

    I get:

    Code:
    -bash: etc/passwd: No such file or directory

    and also with the following line of the tutorial:

    Code:
    reg:~# grep /etc/group -e "^root" -e "^users" > etc/group

    I get the following error:

    Code:
    -bash: etc/group: No such file or directory

    :confused:
     
    Last edited: Apr 20, 2007
  9. falko

    falko Super Moderator Howtoforge Staff

    You're in the wrong directory. Please do this again:
    Code:
    mkdir /home/chroot/
    mkdir /home/chroot/home/
    cd /home/chroot
    mkdir etc
    mkdir bin
    mkdir lib
    mkdir usr
    mkdir usr/bin
    mkdir dev
    mknod dev/null c 1 3
    mknod dev/zero c 1 5
    and then try your above commands again.
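
The wrong-directory failure and the earlier overwrite of /etc/passwd in this thread both come from relative redirect targets such as etc/passwd. As an added example that is not part of the original posts or the tutorial, this shell function writes the jail's account files through a validated absolute path; jail_seed_accounts and SRC_ETC are hypothetical names, and copying the jailed user's primary group into etc/group is an assumption that goes beyond the two grep commands quoted above.

```shell
#!/bin/sh
# Added example (not from the tutorial): seed a jail's etc/passwd and etc/group
# through validated absolute paths. jail_seed_accounts and SRC_ETC are
# hypothetical names; SRC_ETC defaults to the host's /etc.
# Usage: jail_seed_accounts /home/chroot someuser

jail_seed_accounts() {
    jail=$1; user=$2; src=${SRC_ETC:-/etc}

    # A relative jail path depends on the current directory, which is what
    # went wrong in the thread, so only absolute paths are accepted.
    case $jail in
        /*) ;;
        *) echo "jail must be an absolute path: $jail" >&2; return 2 ;;
    esac
    [ -d "$jail/etc" ] || { echo "missing $jail/etc, create the skeleton first" >&2; return 2; }

    # Resolve symlinks and ".." so the destination can be compared reliably.
    dst=$(cd -P -- "$jail/etc" && pwd -P) || return 2
    srcdir=$(cd -P -- "$src" && pwd -P) || return 2
    if [ "$dst" = /etc ] || [ "$dst" = "$srcdir" ]; then
        echo "refusing to overwrite account files in $dst" >&2; return 2
    fi

    # Primary GID of the jailed user, read from the source passwd file.
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$srcdir/passwd")
    [ -n "$gid" ] || { echo "no such user in $srcdir/passwd: $user" >&2; return 1; }

    # Build the new files next to their targets, then rename them into place,
    # so a failed command never leaves a truncated passwd or group file.
    grep -e '^root:' "$srcdir/passwd" > "$dst/passwd.new" || return 1
    awk -F: -v g="$gid" '$1 == "root" || $1 == "users" || $3 == g' \
        "$srcdir/group" > "$dst/group.new" || return 1
    mv -- "$dst/passwd.new" "$dst/passwd" && mv -- "$dst/group.new" "$dst/group"
}
```
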
     
  10. Pasco

    Pasco Member

    Great! But...

    Thx Falko! Great, now the installation worked without errors. I was really in the wrong directory. But I still got the following problems:

    If I try to connect with WinSCP (in SCP or SFTP mode) I get the following error:
    Code:
    Command 'groups'
    failed with return code 126 and error message
    -bash: line 31: /usr/bin/groups: Permission denied.

    I tried to set 0755 for "groups" in the usr/bin folder of the user himself. Then I get the following error:
    Code:
    Command 'groups'
    failed with return code 1 and error message
    id: cannot find name for group ID 10019. 

    If I try to connect with PuTTY there is actually no error, but e.g. "dir" doesn't work. It tells me no such file or directory.

    Have you any idea how to solve this?
     
  11. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ls -la /usr/bin/groups
    and
    Code:
    ls -la /home/chroot/usr/bin/groups
    ?
     
  12. Pasco

    Pasco Member

    It's the following output:

    Code:
    reg:~# ls -la /usr/bin/groups
    -rwxr-xr-x  1 root root 1675 Jul 16  2004 /usr/bin/groups
    and

    Code:
    reg:~# ls -la /home/chroot/usr/bin/groups
    -rw-r--r--  1 root staff 19 Apr 21 16:25 /home/chroot/usr/bin/groups
     
  13. falko

    falko Super Moderator Howtoforge Staff

    Try this:
    Code:
    chmod 755 /home/chroot/usr/bin/groups
    The file must be executable.
     
  14. Pasco

    Pasco Member

    Now I get the following error:

    Code:
    Command 'groups'
    failed with return code 1 and error message
    id: cannot find name for group ID 10002.
     
  15. Pasco

    Pasco Member

    WinSCP and chroot

    I've found that on the net:

    -> WinSCP 2.0 compatibility

    " This is only a problem when you are also using WinSCP compatibility,
    because WinSCP will attempt to run "groups" upon connection initialization.

    You have three choices:
    - you can either put /bin/sh in your jail, which is a security problem
    - you can deselect "lookup user groups" in the WinSCP configuration
    - you can "make groups" using the provided groups.c and move the fake
    groups program into your chroot.
    "

    That is exactly my problem. Can you help me with how to do the third proposal on ISPConfig? Should I add this to the ssh_chroot_script in ISPConfig? And if yes, what exactly should I add? :)
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    In the ssh chroot script there is a variable which contains all programs that were installed in the chroot environment. Please try to add the groups program there too and then update the user in ISPConfig so the chroot environment is updated.
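
The three failures reported in this thread (missing skeleton directories, a non-executable copy of groups, and a GID with no name inside the jail) can be checked in one pass after the chroot environment has been updated. The following is an added example, not ISPConfig's ssh chroot script; audit_jail and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not ISPConfig's script): audit a chroot jail for the three
# failures seen in this thread. audit_jail is a hypothetical helper.
# Usage: audit_jail /home/chroot "10002 10019" /bin/bash /bin/ls /usr/bin/groups
#   $1 = jail root, $2 = space-separated GIDs of the jailed users,
#   remaining arguments = programs that must be usable inside the jail.

audit_jail() {
    jail=$1; gids=$2; shift 2
    problems=0

    # 1. Skeleton directories: when they are absent, cp fails with
    #    "cannot create regular file ... No such file or directory".
    for d in etc bin lib usr/bin dev home; do
        [ -d "$jail/$d" ] || { echo "MISSING-DIR $d"; problems=$((problems + 1)); }
    done

    # 2. Each program must exist inside the jail and be executable; a 0644
    #    copy is what produces "Permission denied" with return code 126.
    for p in "$@"; do
        if [ ! -f "$jail$p" ]; then
            echo "MISSING-PROGRAM $p"; problems=$((problems + 1))
        elif [ ! -x "$jail$p" ]; then
            echo "NOT-EXECUTABLE $p"; problems=$((problems + 1))
        fi
    done

    # 3. Every listed GID needs a name in the jail's own etc/group, otherwise
    #    id reports "cannot find name for group ID N".
    for g in $gids; do
        awk -F: -v g="$g" '$3 == g { found = 1 } END { exit !found }' \
            "$jail/etc/group" 2>/dev/null ||
            { echo "UNNAMED-GID $g"; problems=$((problems + 1)); }
    done

    # Succeeds only when nothing was reported.
    [ "$problems" -eq 0 ]
}
```
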
     
